McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
Business Home McAfee Labs Threat Intelligence

MultiDropper-RL

This page shows details and results of our analysis on the malware MultiDropper-RL

Threat Detail

Malware Type: Trojan

Malware Sub-type: Dropper

Discovery Date: 2007-03-22

Next Steps:

Overview

This is a detection for a malware dropper that masquerades as a installer for the "Omerta" game. The installed malware dropper can be proactively detected as PWS-Progent since DAT version 4584 (Sep 19th, 2005).


Minimum DAT

4991 (2007-03-23)

Updated DAT

4991 (2007-03-23)

 Minimum Engine

5.1.00

File Length

792,559 bytes

 Description Added

2007-03-22

Description Modified

2007-03-23

Malware Proliferation

Characteristics

-- Update March 23, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.eweek.com/article2/0,1895,2106759,00.asp

--

This is a detection for a malware dropper that masquerades as a installer for the "Omerta" game. The installed malware dropper can be proactively detected as PWS-Progent since DAT version 4584 (Sep 19th, 2005) preventing further malicious actions.

Upon execution, it can display the following message dialog(s) to install "Omerta":

Instead of installing "Omerta" into C:\Omerta (default folder), it drops the following file(s):

  • C:\Omerta\read me.bat (proactively detected as PWS-Progent since 4584 DATs)
  • C:\Omerta\war.scr (proactively detected as PWS-Progent since 4584 DATs)
  • %Windir%\target.exe (proactively detected as PWS-Progent since 4584 DATs)

(Where %Windir% is the Windows folder; e.g. C:\Windows)

These files may continue to install further files detected as the following:

 

Symptoms

Presence of one or more of the following file(s):

  • C:\Omerta\read me.bat (proactively detected as PWS-Progent)
  • C:\Omerta\war.scr (proactively detected as PWS-Progent)
  • %Windir%\target.exe (proactively detected as PWS-Progent)

    Possible presence of these other file(s):

  • %Windir%\System32\drivers\KeenSense.sys (text)
  • %Windir%\System32\drivers\ksdevice.sys (text)
  • %Windir%\System32\kurlmon.dll (proactively detected as BackDoor-AVW)
  • %Windir%\System32\k_urlmon.dll (keystrokes log)
  • %Windir%\qservice.exe (proactively detected as PWS-Progent)
  • %Windir%\services.dll (proactively detected as PWS-Progent.dll)
  • %Windir%\System32\Hookapi.dll (proactively detected as PWS-Progent.dll)

     

    • Method of Infection

    This malware dropper masquerades as a installer for the "Omerta" game.

    Removal

    All Users:

    Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

    1.Disable System Restore .

    2.Update to current engine and DAT files for detection and removal.

    3.Run a complete system scan.

    Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

    1. Please go to the Microsoft Recovery Console and restore a clean MBR.

    On windows XP:

    Insert the Windows XP CD into the CD-ROM drive and restart the computer.
    When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
    Select the Windows installation that is compromised and provide the administrator password
    Issue 'fixmbr' command to restore the Master Boot Record
    Follow onscreen instructions
    Reset and remove the CD from CD-ROM drive.


    On Windows Vista and 7:

    Insert the Windows CD into the CD-ROM drive and restart the computer.
    Click on "Repair Your Computer"
    When the System Recovery Options dialog comes up, choose the Command Prompt.
    Issue 'bootrec /fixmbr' command to restore the Master Boot Record
    Follow onscreen instructions
    Reset and remove the CD from CD-ROM drive.

    Variants

    United States - English